Linux Unleashed, Third Edition:File and Directory Permissions





-->















Previous
Table of Contents
Next




Groups
Files (and users) also belong to groups. Groups are normally used in larger installations, and it may be that you never have to worry about them. But remember that groups are a convenient way of providing access to files for more than one user but not to every user on the system. For instance, users working on a special project could all belong to the group project. Files used by the whole group would also belong to the group project, giving those users special access.
Groups are typically used for logical groups of users. The example above uses a project as the grouping, but groups can be used for different departments, types of users (administrator, accounting, programmers, and so on), or for locations on a large network.
You are a member of one group at all times. When you log in you are placed in your default group, which is set when root creates your user account. You can belong to many different groups, but you can be logged in to only one group at a time. To change the group you are a member of, use the newgrp command. For example, if you are a member of a group called users and also a group called programmers, and you need to change to the programmers group because they have special access to a compiler, issue this command:


newgrp programmers


Linux does not tell you which group you’re in. Usually the only way to find out which group is active is to save a file and then look at the permissions. If you try to change to another group that you don’t belong to with newgrp, Linux will give you a friendly warning like this one:


newgrp programmers
newgrp: Sorry


Changing Group Ownership
You’ve already seen how to change the ownership of a file. You might also want to change the group owner. To change the ownership of a group, you don’t have to belong to the group, but you must own the file. Before you can begin, Linux first checks that the group exists.

The chgrp command is used to change the group the file belongs to. It works just like chown:


chgrp <group> <filename>


For example, to change the ownership of the file book to a group called editors, issue this command:


$ l book*
-rwxr-xr-x 2 tparker group 4512 May 9 09:20 book
$ chgrp editors book
$ l book*
-rwxr-xr-x 2 tparker editors 4512 May 9 09:20 book


You can use wildcards with both chown and chgrp, as the following example shows:


$ l book*
-rwxr-xr-x 2 tparker group 4512 May 9 09:20 book1
-rwxr-xr-x 2 tparker group 4625 May 9 09:21 book2
-rwxr-xr-x 2 tparker group 7834 May 9 09:22 book3
$ chown bills book*
$ l book*
-rwxr-xr-x 2 bills group 4512 May 9 09:20 book1
-rwxr-xr-x 2 bills group 4625 May 9 09:21 book2
-rwxr-xr-x 2 bills group 7834 May 9 09:22 book3
$ chgrp editors book*
$ l book*
-rwxr-xr-x 2 bills editors 4512 May 9 09:20 book1
-rwxr-xr-x 2 bills editors 4625 May 9 09:21 book2
-rwxr-xr-x 2 bills editors 7834 May 9 09:22 book3


Notice that the chgrp and chown commands don’t affect anything else about the file, such as the date and time it was created or the permissions in the first field.
File Permissions
Since the early days, UNIX has tried to set up a flexible, powerful, yet simple set of file access permissions that balances security with convenience. The approach UNIX (and hence Linux) takes is simple. It sets only three different types of access (called permissions) that you may have on a file or directory. These are read, write, and execute permissions.

Having read permission to a file enables you to look at the file’s contents. In the case of a directory, read permission lets you list the directory’s contents using ls.
Write permission enables you to modify (or delete) the file, even if you are not the owner. In the case of a directory, you must have write permission in order to create, move, or delete files in that directory.
Execute permission enables you to execute the file by typing its name. This has no effect if the contents of the file can’t be understood by an application. For example, having execute permission on a file that has statistical data in it won’t allow you to run it. On the other hand, if the file is a statistical analysis program, it needs execute permission for it to run. With directories, execute permission enables you to cd into them.
So, we have three types of permissions: read, write, and execute. UNIX separates all users on the system into three categories based on the ownership of the file or directory. There is one set of permissions (read, write, and execute) for the owner, another set (read, write, and execute) for anyone in the group that owns the file, and a third set (read, write, and execute) for everyone else on the system (called other or world). The three sets of permissions are written one after another in a consistent format. The permissions are always in order of read, write, and execute; first for owner, then for group, then for other.
That’s nine bits of information to indicate the permissions of the file or directory. These bits always appear in a block of ten and are the first thing you see in a long directory listing. The first character is special and indicates whether the entry is a file or directory (there are a few other valid values, but we won’t bother with them now). For a concrete example, let’s look at the long directory listing for myfile again:


-rw-r--r-- 1 fido users 163 Dec 7 14:31 myfile


The first character of the permissions is -, which indicates that it’s an ordinary file. If this were a directory, the first character would be d. The next nine characters are broken into three groups of three, giving permissions for owner, group, and other. Each triplet gives read, write, and execute permissions, always in that order. Permission to read is signified by an r in the first position, permission to write is shown by a w in the second position, and permission to execute is shown by an x in the third position. If a particular permission is absent, its space is filled by -.



Previous
Table of Contents
Next